Dear readers,
In my last post (http://isqworld.com/2008/09/17/part-1-security-awareness-is-not-good-security-behavior/) I discussed the difference between “Awareness” and “Behavior”. “Awareness” means “I know”; “Behavior” means “I know and I do”. The gap between “Awareness” and “Behavior” can be reduced by “Enforcement”.
Let me explain with two case studies, where we used simple but powerful enforcement strategies that changed user behavior regarding information security.
Case study 1 – In this case the customer was an Offshore Development Company based in India with a primarily young workforce. The challenges the company faced were as follows:
1) The workforce was downloading songs and videos and storing them on office systems
2) The company had a strict policy that employees must not forward the jokes, porn content etc. that they receive. The justification was that what comes into the Inbox is not in one’s hands, but what goes out definitely is
3) Connecting external devices to office systems was disallowed
We devised a simple audit strategy: surprise audits of randomly chosen systems. But there was also a psychological element. We would audit the system and corroborate the findings with the employee in his presence, using a hard copy audit sheet on which we noted the following:
1) Name of the employee
2) Employee ID
3) Time and date of the audit
4) Serial number of the computer or the laptop
5) Violations, if any; if there were no violations, that too was noted
Once this was done, the auditee was asked to corroborate the findings and SIGN the document. The auditor then signed it as well.
There were some instances when the auditee refused to sign. In that case the auditor would write “AUDITEE refused to sign” on the sheet and inform the information security officer, who would then call the employee or ask for a meeting to explore the reasons why.
Now, many readers may be thinking, “what’s so great about this strategy?”. The answer is that the greatness is not in the strategy but in CONSISTENT REPETITION. To understand this, please view this graph before proceeding – http://www.isqworld.com/wp-content/uploads/enforcement.pdf
In the graph you will see that there was no major change in the “non-compliance” figures for the first 9 months. But between the 9th and 12th month there was a sudden dip in non-compliance (almost 35%). What was the reason? The answer is:
1) Employees understood that this audit was serious business and not a once-in-a-blue-moon activity
2) Employees realized that an audit could happen at any time and that there were no exceptions
3) When a few employees were called for a meeting with the information security officer, the news spread like wildfire (thanks to corporate gossip culture)
So, there is no magic formula, just good old repetition of enforcement strategies.
Case study 2 – This is an interesting case study. The client is an electronics retail chain and pretty old fashioned; in fact the CEO of the company started using a computer only in 2007. The client has 22 branches that sell electronic goods, and the sales system is powered by an ERP application. Each branch manager has a login and password with which he authorizes a sale and notifies the warehouse to ship the item. As often happens, the managers started sharing their passwords with cashiers to avoid the hassle of entering the password numerous times during the day. A shared password also means the ERP can no longer tell which person actually authorized a sale. Soon an instance of fraud happened.
The solution the company found was simple. The company already conducted weekly financial audits of each branch office, so they incorporated a simple information security audit with 4 check-points into the financial audit procedure:
1) Is the ERP system “logged-in and unattended”?
2) Are food items or drinks kept near the computer?
3) Has the manager changed the password as required?
4) Has the anti-virus been updated?
Any violation has a simple penalty. The first violation earned the manager a “memo”. The second meant that the manager lost 5% of his annual bonus, an assured component equal to 2 months’ gross pay.
The system worked like a charm, and there is now hardly any non-compliance.
Now, I request you to go back to my document – http://www.isqworld.com/wp-content/uploads/enforcement.pdf – and see pages 2 and 3, where I have explained the simple concept behind enforcement as a graph.
1) Graph 1 shows that people make security trade-offs (i.e. don’t give importance to security) if there is personal inconvenience. It is like jumping traffic signals when you are in a hurry.
2) Graph 2 shows that if there is a “COST” attached to a trade-off, then the trade-off will reduce. The COST can be TIME, MONEY, QUALITY OF LIFE etc. For example, in case study 2, the electronics retail chain linked every security trade-off with a loss of money for the manager. Likewise, if every jumping of a traffic signal were automatically fined Rs. 5000/-, then soon no one would jump traffic signals.
So, what is your enforcement strategy? What is the cost you plan to impose on employees for every security trade-off? And are you prepared to be consistent and repetitive with the enforcement?
Good luck
Anup
www.himis.org (HIMIS – Human Impact Management for Information Security)